Git-driven BIND (plus Fabric)

Step 0. Store your DNS configuration in Git. If you aren’t using some sort of version control system for your zone files and other BIND configuration, you ought to be. May I recommend Git? Put your entire configuration directory in there, but do read the “Downsides” section below for some important security considerations.

Step 1. Create a bare Git repository on your DNS server. Using Fabric, you’d do it something like this:

(The above assumes an Ubuntu system, where the “ubuntu” user has sudo privileges, such as on EC2; adjust to your environment as needed.)

Step 2. Add a post-receive hook. Notice that “git_post_receive()” in the fabfile snippet above? That function is nothing more than something like this:

(Again, assuming an Ubuntu environment, where BIND lives in /etc/bind.)

Step 3. Add some orchestration. You could tack on an automatic DNS reload to your post-receive hook, but you may prefer to separate control of BIND into distinct functions in your fabfile, perhaps with some tests run before applying changes:
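Here is one shape a post-receive hook for Steps 2 and 3 can take, written as an added example rather than the post's own snippet: it exports the pushed tree into a staging copy, runs named-checkconf against it with the staging tree treated as a chroot, and only then checks the files out into the live directory and reloads. The /etc/bind layout, deploying from “master”, and the hook's user having write access to /etc/bind and read access to rndc.key are assumptions.

```shell
#!/bin/sh
# post-receive hook for the bare BIND repo (added example, not the post's own
# code). Assumes Ubuntu layout (/etc/bind), deploy from "master", write access.
set -eu
BIND_DIR="${BIND_DIR:-/etc/bind}"
DEPLOY_BRANCH="${DEPLOY_BRANCH:-master}"

# git feeds post-receive "oldrev newrev refname" lines on stdin; succeed only
# if the ref we deploy from is among them, so pushes to other branches are ignored.
ref_was_updated() {
    want="$1" hit=1
    while read -r _old _new ref; do
        [ "$ref" = "$want" ] && hit=0
    done
    return $hit
}

# Print "zone file" pairs from named.conf-style text on stdin (assumes one
# directive per line); used to log what a push is about to change.
list_zones() {
    awk '/^[[:space:]]*zone[[:space:]]+"/ { z = $2; gsub(/"/, "", z) }
         z != "" && /^[[:space:]]*file[[:space:]]+"/ {
             f = $2; gsub(/[";]/, "", f); print z, f; z = "" }'
}

# Export the pushed tree under $stage/etc/bind and let named-checkconf treat
# $stage as a chroot (-t) while loading every zone (-z): nothing live is touched.
validate_staged() {
    rev="$1" stage="$2"
    mkdir -p "$stage$BIND_DIR"
    git archive --format=tar "$rev" | tar -x -f - -C "$stage$BIND_DIR"
    named-checkconf -t "$stage" -z "$BIND_DIR/named.conf"
}

deploy() {
    stage=$(mktemp -d)
    trap 'rm -rf "$stage"' EXIT
    validate_staged "$DEPLOY_BRANCH" "$stage"
    cat "$stage$BIND_DIR"/named.conf* | list_zones
    # Only a validated tree reaches the live directory; then reload.
    git --work-tree="$BIND_DIR" checkout -f "$DEPLOY_BRANCH"
    rndc reload
}

# Run the hook body only when git invokes it (git sets GIT_DIR for hooks).
if [ -n "${GIT_DIR:-}" ]; then
    ref_was_updated "refs/heads/$DEPLOY_BRANCH" || exit 0
    deploy
fi
```

A failed named-checkconf aborts the hook before the checkout, so the live /etc/bind keeps the previous commit's files and the push is rejected with the checker's output.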

Downsides. Note that you’re putting your rndc.key file (used to secure rndc) into Git if you put all your config files into your repository. In that case, you’ll obviously want to restrict access to the repository.

Of course, it isn’t hard to imagine an adaptation of this system where the rndc.key file is not stored in Git, but is perhaps put in place by the post-receive hook. (Call this an “exercise for the reader.”)

Alternatives. If you are using DNSSEC, a tool like nsdiff might be a better fit to manage updates to your zones.